False Positive


wildman424

It's an early, crude version of Buttons' Kobra Text. While experimenting with workarounds to counter malware blocking it from running, he renamed the executable to explorer.exe.

The source code is freely available from our site, under the GNU GPL3.

File name: explorer.exe

Submission date: 2011-12-25 04:44:51 (UTC)

First seen: 2011-02-25 02:04:51

Last seen: 2011-12-25 04:44:51

Result: 1/42 (2.4%)

File size: 681984 bytes

MD5: 8d1be016626ad6fc5411228e4a8d2d83

SHA1: 3b558f109a78365ec3be1a022716929baaa15c1a

SHA256: 9a8cd514b789201555581a104aadce00b50344fa37d67b1de7f2e01ad15abd83

sigcheck:

publisher....: Cyber Stealth Labs

copyright....: Copyright © 2011 Cyber Stealth Labs

product......: Kobra Text

description..: Kobra Text

original name: Kobra Text.exe

internal name: Kobra Text.exe

file version.: 1.0.0.0

comments.....: Plain text editor

signers......: -

signing date.: -

verified.....: Unsigned

http://www.virustotal.com/file-scan/report.html?id=9a8cd514b789201555581a104aadce00b50344fa37d67b1de7f2e01ad15abd83-1324788291


Malwarebytes Anti-Malware (PRO) 1.60.0.1600
www.malwarebytes.org

Database version: v2011.12.25.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
wildman424 :: WildThang1 [administrator]

Protection: Enabled

12/25/2011 12:10:15 AM
mbam-log-2011-12-25 (00-10-40).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Registry | File System
Objects scanned: 186362
Time elapsed: 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\wildman424\Downloads\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
[d66f049c60eed264fe09b8ed2dd7e51b]

(end)

Edit:

Just a note: I think the file version info is incorrect; the UI looks like version .0005 or .0006.

We released a version 1.0, but it has a completely different UI, and we're currently writing a new version in C#... C++


The Heuristics.Reserved.Word.Exploit detection on the file makes perfect sense, since there's beaucoup malware out there that likes to name itself explorer.exe and place itself in unusual locations. Just saying this file isn't one of them. We've seen many executables renamed like this as a workaround without getting a hit.

Just so you understand, as one of its developers I have to step in and say something to protect its name when this kind of thing happens.


The latest update does not appear to be detecting it anymore. However, I'm a bit disappointed in Malwarebytes' response. The reason Kobra Text is named explorer.exe is to avoid being blocked by malware, so a user can write a batch/registry script to (hopefully) remove the problem. Currently ddd is not being blocked when named the same, nor are Malwarebytes' new Chameleon files, which are also not being detected by heuristics. As long as it has a legitimate purpose and does not behave maliciously, there should be no issue.

Edit: My mistake, it still appeared during a quick scan; however, when I right-clicked and scanned it, it was not detected.


  • Staff

With 1.60 we will have the capability of more powerful whitelisting.

I will whitelist it now, but if you change it at all it may fall under this def again on 1.51. How often does your file change?

Don't get me wrong, guys. I was just trying to explain how that def works. Basically, anything named explorer.exe outside of windir and sysdir gets flagged as that unless it's whitelisted. Not as a trojan, but to alert the user that something may be up. If it's on purpose, it can be added to the ignore list.

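The rule the staff post describes (flag any explorer.exe outside windir and sysdir unless its hash has been whitelisted, with a rebuilt binary falling under the rule again because its hash changes), as an added example that is not Malwarebytes' code. The trusted directory set, the sample file bytes and the whitelist entries are assumptions constructed for the example; the Downloads path is the one from the scan log above.

```python
import hashlib
import ntpath

DETECTION = "Heuristics.Reserved.Word.Exploit"
# Assumption: "windir" and "sysdir" from the staff post, resolved to their
# default locations; a real scanner would read them from the environment.
TRUSTED_DIRS = (r"C:\Windows", r"C:\Windows\System32")

def _norm(p):
    """Case-insensitive, separator-normalised Windows path for comparison."""
    return ntpath.normpath(p).lower()

def in_trusted_dir(path):
    """True if the file sits directly in windir or sysdir."""
    parent = _norm(ntpath.dirname(path))
    return any(parent == _norm(t) for t in TRUSTED_DIRS)

def classify(path, content, whitelist):
    """Apply the reserved-name rule to one file.

    Returns (detection_name or None, md5). The whitelist is hash-based,
    which is why a rebuilt binary (new hash) is flagged again.
    """
    md5 = hashlib.md5(content).hexdigest()
    if ntpath.basename(path).lower() != "explorer.exe":
        return None, md5          # rule only looks at the reserved name
    if in_trusted_dir(path):
        return None, md5          # the real explorer.exe lives here
    if md5 in whitelist:
        return None, md5          # vendor-whitelisted build
    return DETECTION, md5

# Constructed sample data (not the real Kobra Text binary).
KOBRA_BUILD = b"MZ\x90\x00constructed-kobra-text-build"
WHITELIST = {hashlib.md5(KOBRA_BUILD).hexdigest()}

def demo():
    """Run the rule over the cases discussed in the thread."""
    downloads = r"C:\Users\wildman424\Downloads\explorer.exe"
    other = r"C:\Users\wildman424\Downloads\kobra.exe"
    return {
        "before_whitelist": classify(downloads, KOBRA_BUILD, set())[0],
        "after_whitelist": classify(downloads, KOBRA_BUILD, WHITELIST)[0],
        "rebuilt_binary": classify(downloads, KOBRA_BUILD + b"v2", WHITELIST)[0],
        "real_windir": classify(r"C:\Windows\explorer.exe", b"x", set())[0],
        "other_name": classify(other, KOBRA_BUILD, set())[0],
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:17} -> {verdict}")
```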

With 1.60 we will have the capability of more powerful whitelisting.

I will whitelist it now, but if you change it at all it may fall under this def again on 1.51. How often does your file change?

Don't get me wrong, guys. I was just trying to explain how that def works. Basically, anything named explorer.exe outside of windir and sysdir gets flagged as that unless it's whitelisted. Not as a trojan, but to alert the user that something may be up. If it's on purpose, it can be added to the ignore list.

I see, that's understandable. :) I'll probably post a warning about these false detections. :) So far it is just a start-up project and not a whole lot has been done. I recently switched the license to open source, so I'm hoping for it to be more active and maybe an update once every 3 months. :) I'm not going to worry too much about this. :)


No problem. Appreciate you reporting it. Just wanted you to understand the only reason it was hit was because it was named explorer.exe and not whitelisted.

Yep, Jiangmin (VirusTotal report) also detected it when it was named explorer.exe, compared to the non-explorer name. :) We decided against using this and will recommend it only when necessary. :) Thanks. :)
